Limit Encryption Keys for Big Brother

By Jon Roland

Much has been discussed about the absurdity of the federal government
attempting to prohibit the export of strong encryption products as "munitions",
such as the Diffie-Hellman (D-H) class of algorithms represented by RSA and PGP
using keys of more than 40 digits. Comparisons have been made to King Canute
trying to command the tides. The abandonment by the U.S. Justice Department of
their case agains Phil Zimmerman on Jan. 11 is indicative that they might be
beginning to appreciate the futility of their position on this issue.

However, there is another side to the issue. While we don't want Big Brother
to be able to break our encrypted messages, there are good reasons why we want
to be able to break his.

The departure from office of the previous Administration was characterized
by a mad scramble to erase computer files and destroy their records. Fortunately
for history and law enforcement, many of those files were not overwritten on
their hard disks and could be recovered. We must expect that the next departing
Administration will not make the same mistake.

The longstanding method of keeping records of wrongdoing without subjecting
them to public scrutiny has been to classify them under the National Security
Act and other legislation. This method is still used in the defense sector, but
nondefense agencies must usually find other methods. Now they have one: they can
encrypt their files using RSA/PGP keys of 1024 bits (about 307 digits), keep
personal copies, then "lose" the keys to the copies left with the
agencies, making it effectively impossible for investigators to uncover what
they had been doing.

While we are pressing for recission of the export restrictions, we should
also be pushing for a law making it illegal for federal officials to encrypt
their records using RSA/PGP keys of more than say, 36 digits, and require that
they keep all such records on federal territory subject to exclusive national
jurisdiction (so that the criminal penalties could be constitutionally applied).
The law should extend to the records kept by government agents and contractors
that pertain to work done for the goveernment or available for their use, to
avoid having government agents subcontract the recordkeeping of their
wrongdoing. The law should also provide that all records should be associated
with an "owner", that is, a responsible individual who can be held
accountable for them.

A key length of 36 digits should protect the information from casual
decryption efforts, while leaving it feasible for decryption in response to a
court order or congressional subpoena, even if the keys are missing. If the keys
cannot be found and the key is longer, then the "owner" of that record
would be prosecuted, even if the contents could never be uncovered.